How IT pros protect and investigate their endpoints

More organizations are operating under the assumption that their network has already been compromised, or will be, according to a survey conducted by the SANS Institute.

Fifty-six percent of those surveyed assume that they have been breached or will be soon compared with 47 percent last year. However, organizations are not taking a proactive approach to detecting threats or achieving greater visibility into their networks.

SANS surveyed 1,827 IT professionals in the United States to explore how IT professionals monitor, assess, protect and investigate their endpoints, including servers. A majority of respondents were security analysts (33 percent), followed by security managers or chief information security officers (16 percent), and IT managers or CIOs (13 percent).

The survey results underscore that despite the increased assumption of compromise, visibility into endpoints remains an issue. Highlighting the need for detection at the endpoint, this year, 55 percent of respondents say that up to 30 percent of their incidents should have been detected by perimeter security measures but weren’t.

Furthermore, organizations admit that stealthy attacks are not the ones bypassing their defenses—39 percent reported that less than 10 percent of their adversaries were advanced or used stealth advanced exploit and hiding techniques.

“Relying solely on perimeter detection is insufficient to detect and root out threats. In fact, it appears that the lack of visibility into threats is increasing as organizations become overly dependent on perimeter defenses,” said Jake Williams, Instructor and Course Author at the SANS Institute. “Furthermore, many organizations are not proactively hunting for threats on their networks, which is a risky approach since they are not working under the assumption of compromise. Instead, many are simply waiting for alerts from defenses attackers have long since bypassed.”

Other key findings from the survey include:

Prevention – Thirty-four percent did not know what percentage of threats are detected through proactive discovery. This a double-fold increase from last year’s survey. Additionally, 25 percent indicated that they do not know what threats should have been blocked by firewalls, routers and other edge detection solutions.

Detection – Fifty-five percent of respondents say 30 percent of incidents should have been detected by perimeter security measures but weren’t, and almost a quarter of respondents were notified of a compromise by a third party.

Automation – For a majority of participants, false positive rates are unacceptably high, with 52 percent of organizations suffering false positive rates in excess of 20 percent. Automation levels continue to lag behind what respondents want. Respondents’ projections of achieving automation in 24 months remained relatively stable compared to last year.

Response – A majority (83 percent) need results from endpoint queries in an hour or less and 28 percent want that data in five minutes or less. The ability to quickly conduct investigations is a top priority.

Remediation – Wipe and reimage remains the most popular technique for remediating compromised endpoints according to 79 percent of respondents.

In addition to learning about respondents’ opinions about outsourcing or insourcing security response actions, the survey also measured the top five challenges to incident recovery. They were:

1. Assessing the impact
2. Determining the scope of a threat across multiple endpoints
3. Determining when the incident is fully remediated
4. Hunting for compromised endpoints
5. Determining what company confidential and/or regulated data was at risk because of compromised endpoints

“Cybercriminals are constantly looking for new ways to bypass security measures and no organization is immune from attack,” said Ken Basore, CIO for Guidance Software. “Organizations must embrace an aggressive approach – constantly searching for threats inside their network. In order to be vigilant, organizations must gain visibility into endpoints to determine what sensitive data is stored on them and be able to create a sustainable model of protection.”